I personally think the rather low risk is not worth the inconvenience, especially since many uses of the API are unauthenticated.
If we did it, I think we should only do it for requests that actually have credentials attached (cookie or OAuth). Just my 2 cents.

--
Brian

On Wednesday 29 May 2024, psnbaotg via Wikitech-l <wikitech-l@lists.wikimedia.org> wrote:
> I noticed an interesting post on Hacker News:
> https://news.ycombinator.com/item?id=40504756 (https://jviide.iki.fi/http-redirects)
>
> Basically, this article argues that for reasons, API should "fail early", such as returning with 403 and revoking all credentials sent via plain text, rather than redirecting all HTTP requests to HTTPS.
>
> In my humble opinion, this article's point makes perfect sense. Because we cannot expect an arbitrary client to follow HSTS and a simple typo can cause a serious credential leak.
>
> I found that all our APIs (action API, Wikimedia REST, and even Wikimedia Enterprise) are doing redirects:
>
> ```
> $ curl -I "http://en.wikipedia.org/api/rest_v1/page/title/Earth"
> HTTP/1.1 301 Moved Permanently
> content-length: 0
> location: https://en.wikipedia.org/api/rest_v1/page/title/Earth
> server: HAProxy
> x-cache: cp5023 int
> x-cache-status: int-tls
> connection: close
>
> $ curl -I "http://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Earth"
> HTTP/1.1 301 Moved Permanently
> content-length: 0
> location: https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Earth
> server: HAProxy
> x-cache: cp5023 int
> x-cache-status: int-tls
> connection: close
>
> $ curl -I http://api.enterprise.wikimedia.com/v2/snapshots
> HTTP/1.1 301 Moved Permanently
> Server: awselb/2.0
> Date: Wed, 29 May 2024 10:03:24 GMT
> Content-Type: text/html
> Content-Length: 134
> Connection: keep-alive
> Location: https://api.enterprise.wikimedia.com:443/v2/snapshots
>
> ```
>
> I'm asking security folks, should we consider making above changes, like those services listed in the article? Thank you.
>
> Best regards,
> diskdance
> _______________________________________________
> Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
> To unsubscribe send an email to wikitech-l-le...@lists.wikimedia.org
> https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
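As an added illustration of the two positions in this thread (not code from MediaWiki, Wikimedia's edge, or the linked article), the following Python sketch decides how to answer a request that arrived over plaintext HTTP: an unauthenticated request still gets the 301 to HTTPS that the curl output above shows, while a request that carried a session cookie or an `Authorization` header in the clear gets a 403 and the leaked credentials are reported for revocation. The cookie-name suffixes, the `Decision` type, the `decide()` function and the handling of a proxy-supplied `X-Forwarded-Proto` value are all assumptions made for this example; a real deployment would plug in its own session-cookie names and its own token-revocation call.

```python
"""Added example: 'redirect' versus 'fail early and revoke' for plaintext
HTTP API requests.  Hypothetical names throughout; not Wikimedia code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Cookie names ending in one of these suffixes are treated as credentials.
# Constructed for this example; a real service would list its own names.
SESSION_COOKIE_SUFFIXES = ("Session", "Token", "UserID")


@dataclass
class Decision:
    status: int                                   # HTTP status to send
    headers: Dict[str, str] = field(default_factory=dict)
    revoke: List[Tuple[str, str]] = field(default_factory=list)  # (kind, value)
    reason: str = ""


def leaked_credentials(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every credential found in the request
    headers: an Authorization header (Basic, Bearer, OAuth, ...) or any
    cookie whose name marks it as a session/token cookie."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found: List[Tuple[str, str]] = []
    auth = lowered.get("authorization", "").strip()
    if auth:
        scheme, _, token = auth.partition(" ")
        found.append((scheme.lower() or "authorization", token.strip()))
    for pair in lowered.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name and name.endswith(SESSION_COOKIE_SUFFIXES):
            found.append(("cookie:" + name, value))
    return found


def decide(url: str, headers: Dict[str, str],
           forwarded_proto: Optional[str] = None) -> Decision:
    """Apply the policy.  forwarded_proto models X-Forwarded-Proto from a
    TLS-terminating proxy (HAProxy in the thread); when given, it is the
    authoritative scheme, because the backend URL may always read http."""
    scheme = (forwarded_proto or urlsplit(url).scheme).lower()
    if scheme == "https":
        return Decision(200, reason="served over TLS")

    creds = leaked_credentials(headers)
    if not creds:
        # Nothing sensitive was exposed: the plain redirect is harmless.
        target = urlunsplit(urlsplit(url)._replace(scheme="https"))
        return Decision(301, headers={"Location": target},
                        reason="unauthenticated plaintext request; redirect")

    # Credentials already crossed the wire in the clear.  Do not redirect
    # (the client would resend them) and treat them as compromised.
    return Decision(403, headers={"Cache-Control": "no-store"}, revoke=creds,
                    reason="credentials sent over plaintext; revoke them")


if __name__ == "__main__":
    # Constructed sample requests, mirroring the URLs quoted in the thread.
    samples = [
        ("http://en.wikipedia.org/api/rest_v1/page/title/Earth", {}, None),
        ("http://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Earth",
         {"Cookie": "enwikiSession=abc123; theme=dark"}, None),
        ("http://en.wikipedia.org/w/api.php", {"Authorization": "Bearer tok"}, None),
        ("http://en.wikipedia.org/w/api.php", {"Cookie": "enwikiSession=x"}, "https"),
    ]
    for url, hdrs, proto in samples:
        d = decide(url, hdrs, proto)
        print(d.status, d.reason, d.headers, d.revoke)
```

The point of returning the `revoke` list rather than acting on it is that the expensive part of the article's proposal, invalidating sessions and tokens, needs the service's own credential store; the cheap part, refusing to redirect a request that already leaked a secret, is just the branch shown here.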